From: Andrew Tridgell
Subject: tip of the week (strace & ltrace)
Date: Tue, 9 Nov 1999 01:53:26 +1100
I can just imagine the jokes about "tip of the year" give the time
since my last tip :)
This tip is courtesy of a question asked by our ISP neighbors in
Canberra. One of the ISPs engineers came in today asking why it was
really slow for some of their customers to connect to the SMTP port on
their servers while other clients got in instantly. He knew about
using telnet to the SMTP port and he found that "telnet server 25"
took about 30 seconds to give the sendmail banner back from this one
client whereas it took less than a second for all other clients.
While we knew what the likely answer was (and luckily we were right!)
the more interesting thing is how to diagnose this sort of
problem. The tools that immediately spring to mind are strace, ltrace,
tcpdump and netcat.
Lets start with strace. strace allows you to look at all system calls
made by a process. Combine this with a little bit of knowledge of
programming and you have an amazingly useful tool for diagnosing just
about any sort of problem on a Linux box. In this case we ran:
strace -t -p 3128 -f -o trace.out
where 3128 was the PID of the main sendmail process (use "ps axf" to
find that. I assume you know about the f flag to ps? Very useful ...).
The above sets -t which gives the time in seconds of each system call
(as we are looking for a timing problem), -f so that we "follow" child
processes as sendmail tends to fork a child for each connection and -o
to send output to a file.
Then connect to the sendmail daemon from the misbehaving client and
control-C the strace after the problem has happened. The trace.out
shows a big wait during a connect to port 113 on the client. We have
the answer! The problem was that the client was dropping all packets
to the auth port using a firewall rule. It should have been using
"reject" instead so that sendmail would get an immediate connection
refused rather than a 30 second wait.
If this has whetted your appetite for strace then I suggest that you
start playing with it now. Try "strace ls" and a few other progs. Get
used to the syntax of the output and how errors are handled. strace is
a fantastic tool but it isn't one that you can learn to use well in 5
minutes when you have a broken server and need to fix it. It is
something you need to get used to.
So what about those other tools I mentioned?
Well, ltrace would have been really useful if the strace hadn't
already solved the problem. ltrace is like strace but it shows all
library calls instead of system calls. That fantastic when you want to
see the gory details of how a program is working. It is also very
instructive to do an strace of ltrace to work out how ltrace works -
it's a really neat trick.
The other tool I used was netcat. netcat was used to confirm our
diagnosis by reproducing the problem. I ran the following as root
on a spare host:
nc -l -p 113
then did a "telnet server 25" from that host. We immediately saw the
ident connection from sendmail to the client and sendmail didn't give
its banner. As soon as we did a control-C on nc we got the banner from
sendmail. So we'd reproduced the problem.
netcat is a really great tool. I suggest that everyone gets it now and
reads the docs that come with it. It has a thousand uses (some of
which could get you in big trouble!). One of my favorites is teaching
people protocols by making then type them manually. Try this:
nc -l -p 8080
then connect to localhost:8080 with your favorite browser and see if
you can type in some HTML from memory. Cute hey?
Finally, I mentioned tcpdump. That's one that everyone should know how
to use. tcpdump is a packet sniffer and we could have solve the
sendmail/ident problem by just sniffing the connection between the two
hosts and noticing the syn from the server to the client on TCP port
113 that never gets a reply. strace is more fun :)
Cheers, Tridge
PS: rsync 2.3.2 is out.